IPv6 Setup Question/issue



  • Hey,

    I installed a fresh copy of pfSense 2.1.3 today, and am attempting to set up IPv6.

    My host provided me with a /64. For the purpose of this post that will be 2607:8675:309:8888::/64.

    In the web interface, I have configured the WAN interface as static, with the address 2607:8675:309:8888:1000::/68. The LAN interface is 2607:8675:309:8888:2000::/68.

    The gateway on the WAN interface is set to the value provided by my host. When I am in the pfSense shell, I can ping out to hosts on the internet just fine.

    I have DHCPv6 enabled on the LAN side, with the dhcp range being 2607:8675:309:8888:2000:: to 2607:8675:309:8888:200f::. I changed nothing else from the defaults, aside from setting Google's DNS servers.

    Router advertisements on the LAN side is set to "Managed".

    In the pfSense shell, I can ping out to the internet, and to hosts on the LAN side who received addresses assigned by DHCPv6. From hosts on the LAN side, they can ping pfSense's LAN interface, but not out to the internet.

    This is where I'm stumped. Any help would be greatly appreciated!

    Edit: I do have the LAN firewall rule for IPv6 set/enabled (this exists by default in 2.1+).

    Edit2: After a discussion in the pfSense IRC, I learned that /64 is the smallest subnet that "should" exist and SLAAC/Router Advertisement will not work on anything smaller than a /64. Does this mean I'm SOL?



  • Sounds like same issue that was being discussed here:  https://forum.pfsense.org/index.php?topic=76319.0

    No solution.



  • @dpedu:

    Edit2: After a discussion in the pfSense IRC, I learned that /64 is the smallest subnet that "should" exist and SLAAC/Router Advertisement will not work on anything smaller than a /64. Does this mean I'm SOL?

    You could configure pfSense as a transparent firewall; see this thread for some pointers.



  • Also, the reason your LAN-side hosts can't talk to the outside world is most likely actually exactly the opposite: The outside world does not know how to get to your LAN; your ISP won't know that packets for 2607:8675:309:8888:2000::/68 have to be routed to 2607:8675:309:8888:1000::/68.

    If you don't want to go the transparent firewall route, you might be able to make this work by having your pfSense box act as an NDP proxy for the machines behind it.

    EDIT: NDP proxy still won't solve the issue of SLAAC not working on anything smaller than a /64, though. Tho I guess you might be ok if all your clients support DHCP6?



  • Hey, thanks for the replies. I'll look into setting it up as a transparent firewall.


Log in to reply